Security News This Week: Apple Patches a Very Bad iOS HomeKit Bug
Credit to Author: Lily Hay Newman | Date: Sun, 10 Dec 2017 14:00:00 +0000
Political turmoil and hijinks abounded this week, but there were plenty of security antics playing out online, too. Researcher Sabri Haddouche released a suite of tricks and tools, collectively called Mailsploit, that allow you to send perfectly spoofed messages from more than a dozen popular email clients. The flaws open up endless phishing possibilities. And speaking of phishing, new research shows a spike in the use of HTTPS web encryption on phishing sites. Attackers want the green padlock that comes with HTTPS to make their phishing sites look more legitimate and persuasive to potential victims. At least the ad blocker Ghostery is working on using artificial intelligence to catch—and block—new types of ad-trackers more quickly.
Meanwhile, a group of Iranian hackers has been probing critical infrastructure companies as part of institutional intrusions dating back to 2014, according to a report from the security firm FireEye. And there's new evidence that the Ethiopian government is using commercial spyware to snoop on journalists around the world.
Researchers and lawmakers are increasingly raising the alarm about the threat quantum computing poses to current digital security schemes like encryption protocols. Microsoft Research has developed a secure microcontroller for electronics before billions of devices get wireless connections and join the never-ending Internet of Things security meltdown. Plus, you can track the evolution of data breaches for yourself using this handy visualization.
And people, truly, do yourselves a favor and check out The WIRED Guide to Digital Security. It'll get you thinking about what protections you as an individual need, whether you're a hermit or a spy, and it can help you start 2018 on more secure footing.
But, wait, there's more! As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
There's usually little to no security news about Apple software bugs, but lately the company has suffered a string of problematic vulnerabilities. The latest was a flaw in iOS HomeKit that could allow an attacker with access to a device's corresponding iCloud account to remotely control smart home products, like smart locks and garage door openers. Apple announced a temporary server-side fix on Thursday when news of the bug became public, and the company said it will push a complete patch early next week. The attack would have only affected iOS 11, and wouldn't have been easy to carry out, but given the security problems that have come up with macOS High Sierra, it's significant that bad bugs are showing up in Apple's latest mobile operating system as well.
Officials Take Down the Massive Andromeda Botnet Network
On Monday, an international group of law enforcement authorities, including Europol and the FBI, announced that it had taken down the Andromeda malware family (also known as Gamarue) and dismantled its 464 separate botnets. Andromeda was a criminal platform-for-hire that other attackers could rent time on to build malicious tools like keyloggers, launch DDoS attacks and spamming campaigns, and distribute their own malware. The botnet included 1,500 malware-distributing domains and at least two million unique victim IP addresses in 223 countries. The years-long investigation to take down the sprawling platform required cooperation from Austria, Belgium, Finland, France, Italy, the Netherlands, Poland, Spain, the United Kingdom, Australia, Belarus, Canada, Montenegro, Singapore and Taiwan. Officials in Belarus also reported that they arrested one of the key Andromeda participants, known online as "Ar3s," thanks to a slip-up he made that allowed them to discover his true identity.
Researchers Find Vulnerability in Bluetooth Gun Safe
The high-tech gun safe maker Vaultek had to issue a firmware update for one of its most popular safes, the VT20i, after researchers discovered three major Bluetooth vulnerabilities in the product. Vaultek issued its patches this summer, but the researchers from the security software firm Two Six Labs waited to disclose the issues to give users time to install them. In one bug, an attacker could brute-force the safe's main unlock PIN, because the Bluetooth pairing code for each safe was just its PIN number, and the app allowed unlimited pairing attempts. In another, the researchers noticed that once a device was paired to a safe, the app could unlock the safe with any PIN number, not necessarily the correct one. And, just as a fun bonus, the app was also transmitting PINs to the safe in plaintext, even though the company claims to encrypt them.
IoT Botnet Uses New Strain of Mirai to Recruit 100,000 Routers
The Mirai Internet of Things botnet malware is famously open source; new versions crop up all the time, dividing and redividing the pool of vulnerable devices into different botnets. But a new strain has been able to amass about 90,000 infected routers by exploiting a recently discovered vulnerability in two types of Huawei routers, even if they're protected by strong passwords and can't be remotely controlled. The Mirai variant also includes a database of 65,000 username and password pairs for compromising other devices, and the botnet includes 10,000 additional devices beyond the Huawei routers. The powerful botnet has been around for a couple of weeks now, but the owner hasn't used it for any attacks—yet.